
API Changes - Token Expiration #1

@tmilewski

On 11/8 Venmo will be deploying changes to how they grant long-lived tokens to API consumers. This does not affect tokens that have already been granted.

  • Tokens issued through the server-side authentication flow will no longer be non-expiring. These tokens expire after 60 days.
  • To refresh these long-lived tokens, clients can exchange a refresh token (the refresh_token field included in the server-side authentication response) for a new access_token, refresh_token pair. Note that exchanging a refresh token for new tokens must be done only after the associated access token has expired.
  • An expires_in field will now be included in the server-side authentication response. The value is in seconds.

Old Response:

{
  "access_token": ACCESS_TOKEN,
  "user": {...}
}

New Response:

{
  "access_token": ACCESS_TOKEN,
  "user": {...},
  "refresh_token": REFRESH_TOKEN,
  "expires_in": 5184000
}

After the token has expired, you need to POST to /oauth/access_token with REFRESH_TOKEN, CLIENT_ID, CLIENT_SECRET and receive a new access token, refresh token, and time to expiration.
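The following is an added example, not part of the original issue or any Venmo client code: a client-side sketch that tracks expiry from `expires_in` and builds the refresh exchange only once the access token has expired. The lowercase form field names, the form encoding and all sample values are assumptions; only the `/oauth/access_token` path and the response fields come from the issue.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

TOKEN_PATH = "/oauth/access_token"  # endpoint path named in the issue


@dataclass(repr=False)
class TokenState:
    access_token: str
    refresh_token: Optional[str]  # absent in the old response shape
    expires_at: Optional[float]   # None = previously granted, non-expiring token

    @classmethod
    def from_response(cls, body: dict, issued_at: float) -> "TokenState":
        # expires_in is in seconds; anchor it to the time the response arrived.
        expires_in = body.get("expires_in")
        expires_at = None if expires_in is None else issued_at + int(expires_in)
        return cls(body["access_token"], body.get("refresh_token"), expires_at)

    def is_expired(self, now: float) -> bool:
        return self.expires_at is not None and now >= self.expires_at

    def __repr__(self) -> str:
        # Keep token values out of logs and tracebacks.
        return f"TokenState(expires_at={self.expires_at!r}, tokens=<redacted>)"


def build_refresh_request(state, client_id, client_secret, now):
    """Return (method, path, form_body) for the refresh exchange.

    Refuses to build the request before expiry, because the issue states the
    exchange must be done only after the access token has expired.
    """
    if state.refresh_token is None:
        raise ValueError("no refresh token: old-style token, nothing to exchange")
    if not state.is_expired(now):
        raise ValueError("access token has not expired yet")
    # Assumption: form-encoded body with lowercase versions of the issue's names.
    form = urlencode({
        "refresh_token": state.refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    })
    return "POST", TOKEN_PATH, form
```

The response to the exchange has the same shape as the new authentication response, so passing it back through `TokenState.from_response` replaces both stored tokens and the expiry time together.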
